Foundation Summary: Protocols and Standards, Related Router IOS Commands, Related Catalyst IOS Commands

This section lists additional details and facts to round out the coverage of the topics in this chapter.
Unlike most of the Cisco Press Exam Certification Guides, this “Foundation Summary” does not
repeat information presented in the “Foundation Topics” section of the chapter. Please take the
time to read and study the details in the “Foundation Topics” section of the chapter, as well as
review items noted with a Key Topic icon.
Table 18-11 lists some of the key protocols covered in this chapter.
Table 18-12 lists some of the most popular router IOS commands related to the topics in this chapter.

Table 18-11 Protocols and Standards for Chapter 18 (name: standard)

RADIUS: RFC 2865
Port-Based Network Access Control: IEEE 802.1X
EAP: RFC 3748
A One-Time Password System: RFC 2289
Router Security: RFCs 2827 and 3704
Next Hop Resolution Protocol (NHRP): RFC 2332

Table 18-12 Router IOS Commands Related to Chapter 18 (each command is followed by its indented description)

service password-encryption
    Global command to enable simple encryption of passwords
server ip-address [auth-port port-number] [acct-port port-number]
    Global command to define a RADIUS server and ports used
aaa group server radius | tacacs+ group-name
    Global command to create the name of a group of AAA servers
server ip-address
    AAA group mode; defines a TACACS+ server
server ip-address [auth-port port-number] [acct-port port-number]
    AAA group mode; defines a RADIUS server and ports used
radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] [alias {hostname | ip-address}]
    Global mode; defines details regarding a single RADIUS server
radius-server key {0 string | 7 string | string}
    Global mode; defines the key used to encrypt RADIUS passwords
tacacs-server host {host-name | host-ip-address} [key string] [nat] [port [integer]] [single-connection] [timeout [integer]]
    Global mode; defines details regarding a single TACACS+ server
tacacs-server key key
    Global mode; defines the key used to encrypt the TACACS+ payload
aaa authentication enable default method1 [method2...]
    Global mode; defines the default authentication methods used by the enable command
aaa authentication login {default | list-name} method1 [method2...]
    Global mode; defines the default authentication methods used by console, vty, and aux logins
aaa authentication ppp {default | list-name} method1 [method2...]
    Global mode; defines the default authentication methods used by PPP
aaa new-model
    Global mode; enables AAA globally in a router/switch
login authentication {default | list-name}
    Line mode; defines the AAA group to use for authentication
ppp authentication {protocol1 [protocol2...]} [if-needed] [list-name | default] [callin] [one-time] [optional]
    Interface mode; defines the type of AAA authentication used by PPP
auto secure [management | forwarding] [no-interact]
    Global mode; automatically configures IOS with Cisco’s recommended device security configuration
enable password [level level] {password | [encryption-type] encrypted-password}
    Global mode; defines the enable password
enable secret [level level] {password | [encryption-type] encrypted-password}
    Global mode; defines the enable password that is MD5 hashed
ip verify unicast reverse-path [list]
    Interface subcommand; enables strict RPF
ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [list]
    Interface subcommand; enables strict or loose RPF
username name {nopassword | password password}
    Global mode; defines local usernames and passwords
username name secret {[0] password | 5 encrypted-secret}
    Global mode; defines local usernames and MD5-hashed passwords
ip tcp intercept list access-list-number
    Global mode; identifies an ACL to be used by TCP intercept
ip tcp intercept mode {intercept | watch}
    Global mode; defines the mode used by TCP intercept
ip tcp intercept watch-timeout seconds
    Global mode; defines the timeout used before acting to clean up an incomplete TCP connection
ip inspect name inspection-name protocol [timeout seconds]
    Configures inspection rules for CBAC
ip inspect inspection-name {in | out}
    Applies a CBAC inspection rule to an interface

Table 18-13 lists some of the Cisco 3550 switch commands used in this chapter. Also, refer to Tables 18-4 through 18-7. Note that all commands in Table 18-13 were copied from the version 12.2(25)SEB 3550 Command Reference at Cisco.com; the syntax may vary on different Cisco IOS–based switches.

Table 18-13 Catalyst IOS Commands Related to Chapter 21 (each command is followed by its indented description)

spanning-tree guard root
    Interface mode; enables Root Guard.
aaa authentication dot1x {default} method1
    Global mode; defines the default authentication method for 802.1X. Only one method is available, because only RADIUS is supported.
arp access-list acl-name
    Global command; creates an ARP ACL with the stated name.
dot1x system-auth-control
    Global command that enables 802.1X.
dot1x port-control {auto | force-authorized | force-unauthorized}
    Interface subcommand to define 802.1X actions on the interface.
dot1x timeout {quiet-period seconds | reauth-period seconds | server-timeout seconds | supp-timeout seconds | tx-period seconds}
    Global command to set 802.1X timers.

Memory Builders

The CCIE Routing and Switching written exam, like all Cisco CCIE written exams, covers a fairly
broad set of topics. This section provides some basic tools to help you exercise your memory about
some of the broader topics covered in this chapter.
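As an added example that is not from the book, the following Python script assembles several of the Table 18-12 commands into a constructed running-config fragment and audits it for the weaker choices the table pairs with stronger ones (enable password versus enable secret, username password versus username secret, an AAA server defined without a key, and interfaces with no uRPF check). The sample config, the placeholder type-5 and type-7 strings, and the audit_ios_config function are all assumptions.

```python
import re

# Constructed running-config fragment built from the Table 18-12 commands (not a
# real device; type-7 and type-5 strings are placeholders, not real encodings).
SAMPLE_CONFIG = """\
service password-encryption
aaa new-model
aaa group server radius MYRADIUS
 server 10.1.1.10 auth-port 1812 acct-port 1813
radius-server host 10.1.1.10 auth-port 1812 acct-port 1813 key 7 TYPE7PLACEHOLDER
aaa authentication login default group MYRADIUS local
enable password 7 TYPE7PLACEHOLDER
username admin password 7 TYPE7PLACEHOLDER
username ops secret 5 $1$TYPE5PLACEHOLDER
interface GigabitEthernet0/0
 ip verify unicast source reachable-via rx
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
"""


def audit_ios_config(config):
    """Return findings for the weak settings Table 18-12 contrasts with stronger ones."""
    findings = []
    lines = [line.rstrip() for line in config.splitlines()]
    glob = [line for line in lines if line and not line.startswith(" ")]  # global mode
    if "aaa new-model" not in glob:
        findings.append("aaa new-model missing: AAA method lists are not in effect")
    if not any(line.startswith("enable secret") for line in glob):
        # enable password is at best type 7, which service password-encryption
        # obscures but does not hash; enable secret is the MD5-hashed form.
        findings.append("enable secret missing: only the reversible enable password is set")
    for line in glob:
        m = re.match(r"username (\S+) password ", line)
        if m:
            findings.append(f"username {m.group(1)}: password keyword, use secret (MD5 hash)")
        if line.startswith(("radius-server host", "tacacs-server host")) and " key " not in line:
            findings.append(f"AAA server without key: {line}")
    # Interface mode: was strict or loose uRPF (ip verify unicast ...) applied?
    rpf, iface = {}, None
    for line in lines:
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
            rpf[iface] = False
        elif iface and line.strip().startswith("ip verify unicast"):
            rpf[iface] = True
    findings.extend(f"{name}: no uRPF check configured" for name, ok in rpf.items() if not ok)
    return findings
```

Running audit_ios_config(SAMPLE_CONFIG) reports the missing enable secret, the reversible password on user admin, and the lack of uRPF on GigabitEthernet0/1, while the RADIUS entry with a key and user ops with a secret pass.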
Fill in Key Tables from Memory
Appendix E, “Key Tables for CCIE Study,” on the CD in the back of this book contains empty sets
of some of the key summary tables in each chapter. Print Appendix E, refer to this chapter’s tables
in it, and fill in the tables from memory. Refer to Appendix F, “Solutions for Key Tables for CCIE
Study,” on the CD to check your answers.
Definitions
Next, take a few moments to write down the definitions for the following terms:
AAA, authentication method, RADIUS, TACACS+, MD5 hash, enable password,
enable secret, ACS, SAFE Blueprint, DAI, port security, IEEE 802.1X, DHCP
snooping, IP Source Guard, man-in-the-middle attack, sticky learning, fraggle attack,
DHCP snooping binding database, EAP, EAPoL, OTP, Supplicant, authenticator,
authentication server, smurf attack, TCP SYN flood, TCP intercept, ACE, storm
control, CBAC, inspection rule, DMVPN
Refer to the glossary to check your answers.
Further Reading
Network Security Principles and Practices, by Saadat Malik
Network Security Architectures, by Sean Convery
Cisco SAFE Blueprint Introduction: http://www.cisco.com/go/safe
“Configuring Context-Based Access Control”: http://www.cisco.com/en/US/docs/ios/12_0/security/configuration/guide/sccbac.html
“Dynamic Multipoint VPN (DMVPN)”: http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110ba1.html